An earlier post, 《查看日志里root用户登录失败的ip尝试的次数》 (counting failed root login attempts per IP in the logs), showed the problem; the server's security needs an actual fix, not just a count.
fail2ban scans the authentication-failure records of various services, extracts the offending IP addresses and blocks them from that service. For SSH, for example, an IP that fails authentication 5 times is banned from SSH. The threshold (maxretry), the window within which the failures must occur (findtime) and how long the ban lasts (bantime) are per-jail settings in jail.conf; by default a ban expires after 600 seconds, so this stops brute-forcing without locking anyone out for good.
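To make the mechanism concrete, here is a small Python model of a jail, written for this post and not part of fail2ban itself. It scans constructed /var/log/secure lines (the log sshd writes on CentOS), counts failures per source inside a sliding findtime window, bans on the maxretry-th failure and lifts the ban after bantime. The iptables command strings it produces follow fail2ban's iptables action: a fail2ban-<name> chain ending in RETURN, hooked into INPUT for the service port only, with a DROP inserted at position 1 for each banned address. The host name, PIDs, client ports, the second source 192.168.1.50 and the successful key login are made up; the year 2010 is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines (not taken from the post): sshd on
# the .41 host logging the failed root logins from 192.168.1.45, plus two
# failures from a made-up second host that stays under the limit and one
# successful key login that must be ignored.
SAMPLE_LOG = """\
Jan 15 21:40:01 aslibra sshd[2101]: Failed password for root from 192.168.1.45 port 50123 ssh2
Jan 15 21:40:04 aslibra sshd[2101]: Failed password for root from 192.168.1.45 port 50123 ssh2
Jan 15 21:40:07 aslibra sshd[2101]: Failed password for root from 192.168.1.45 port 50123 ssh2
Jan 15 21:40:20 aslibra sshd[2104]: Failed password for invalid user admin from 192.168.1.50 port 50200 ssh2
Jan 15 21:40:31 aslibra sshd[2107]: Failed password for root from 192.168.1.45 port 50130 ssh2
Jan 15 21:40:35 aslibra sshd[2107]: Failed password for root from 192.168.1.45 port 50130 ssh2
Jan 15 21:40:39 aslibra sshd[2107]: Failed password for root from 192.168.1.45 port 50130 ssh2
Jan 15 21:41:02 aslibra sshd[2110]: Failed password for invalid user admin from 192.168.1.50 port 50210 ssh2
Jan 15 21:41:10 aslibra sshd[2112]: Accepted publickey for deploy from 192.168.1.60 port 50300 ssh2
"""

# Matches sshd's "Failed password" line; the optional "invalid user " covers
# attempts against accounts that do not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_ts(text, year):
    """Syslog timestamps carry no year, so the caller supplies one (assumed 2010 here)."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


class Jail:
    """Minimal model of one fail2ban jail: per-source failure counting inside a
    sliding findtime window, a ban on the maxretry-th failure, expiry after bantime."""

    def __init__(self, name="SSH", port=22, maxretry=5, findtime=600, bantime=600, year=2010):
        self.name, self.port, self.maxretry, self.year = name, port, maxretry, year
        self.findtime, self.bantime = timedelta(seconds=findtime), timedelta(seconds=bantime)
        self.failures = {}   # ip -> timestamps of failures still inside findtime
        self.banned = {}     # ip -> time at which the ban expires
        self.commands = []   # iptables commands the jail would have executed

    def chain(self):
        return f"fail2ban-{self.name}"

    def start_commands(self):
        """What the iptables action runs when the jail starts: a private chain
        ending in RETURN, hooked into INPUT for the service port only."""
        c = self.chain()
        return [f"iptables -N {c}", f"iptables -A {c} -j RETURN",
                f"iptables -I INPUT -p tcp --dport {self.port} -j {c}"]

    def feed(self, line):
        """Process one log line; return the ban command if this line triggers a ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts, ip = parse_ts(m.group("ts"), self.year), m.group("ip")
        if ip in self.banned:
            return None  # already banned, nothing more to do
        recent = [t for t in self.failures.get(ip, []) if ts - t <= self.findtime]
        recent.append(ts)
        if len(recent) < self.maxretry:
            self.failures[ip] = recent
            return None
        self.failures.pop(ip, None)
        self.banned[ip] = ts + self.bantime
        cmd = f"iptables -I {self.chain()} 1 -s {ip} -j DROP"  # lands in front of RETURN
        self.commands.append(cmd)
        return cmd

    def expire(self, now):
        """Lift bans whose bantime has passed; return the unban commands."""
        cmds = []
        for ip, until in sorted(self.banned.items()):
            if until <= now:
                cmds.append(f"iptables -D {self.chain()} -s {ip} -j DROP")
                del self.banned[ip]
        self.commands.extend(cmds)
        return cmds

    def banned_ips(self):
        return sorted(self.banned)


def process_log(text, **jail_settings):
    """Run every line of a log through a fresh jail and return the jail."""
    jail = Jail(**jail_settings)
    for line in text.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    jail = process_log(SAMPLE_LOG)
    print("\n".join(jail.start_commands() + jail.commands))
    print("banned:", jail.banned_ips())
```

With the defaults, 192.168.1.45 is banned on its 5th failure (21:40:35) and 192.168.1.50, with only two failures, is not; shrinking findtime to 20 seconds lets the first three failures age out of the window and no ban happens, which is why a too-small findtime makes a slow brute force invisible to fail2ban.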
Installing the service with yum is simple. fail2ban enforces its bans by inserting iptables rules, so first make sure iptables is enabled and running:
check which services start in runlevel 3 (iptables must be among them): chkconfig --list | grep "3:on"
start the firewall: service iptables start
yum -y install fail2ban
service fail2ban start
If no IP is currently banned, the result should look like this:
[root@aslibra ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target       prot opt source       destination
fail2ban-SSH tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:22

Chain FORWARD (policy ACCEPT)
target       prot opt source       destination

Chain OUTPUT (policy ACCEPT)
target       prot opt source       destination

Chain fail2ban-SSH (1 references)
target       prot opt source       destination
RETURN       all  --  0.0.0.0/0    0.0.0.0/0
So a new chain, fail2ban-SSH, has been created and the INPUT chain sends every packet for TCP port 22 through it first: a banned IP hits a DROP there, everyone else falls through to RETURN and continues down the normal INPUT rules. The fail2ban-SSH rules therefore do not conflict with the system rules, and because only port 22 is diverted, a banned IP can still reach other services on the host, e.g. the web server.
Now try some malicious logins from another IP:
[root@aslibra ~]# ssh 192.168.1.41
The authenticity of host '192.168.1.41 (192.168.1.41)' can't be established.
RSA key fingerprint is 73:3c:8d:3e:6d:f9:ef:11:40:8f:bc:3e:2d:20:3f:96.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.41' (RSA) to the list of known hosts.
root@192.168.1.41's password:
Permission denied, please try again.
root@192.168.1.41's password:
Permission denied, please try again.
root@192.168.1.41's password:
Permission denied (publickey,gssapi-with-mic,password).
[root@aslibra ~]# ssh 192.168.1.41
root@192.168.1.41's password:
Permission denied, please try again.
root@192.168.1.41's password:
Permission denied, please try again.
root@192.168.1.41's password:
Permission denied (publickey,gssapi-with-mic,password).
[root@aslibra ~]# ssh 192.168.1.41
root@192.168.1.41's password:
Permission denied, please try again.
root@192.168.1.41's password:
Permission denied, please try again.
root@192.168.1.41's password:
[root@aslibra ~]#
At first authentication behaves normally: you can type any password and get "Permission denied" back. Then the connection simply hangs and you have to abort it, because once fail2ban has banned the source its packets are dropped and no error is ever returned (DROP, not REJECT). nmap (yum install nmap) shows the same thing from the attacker's side:
[root@aslibra ~]# nmap 192.168.1.41

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-01-15 21:47 CST
Interesting ports on localhost (192.168.1.41):
Not shown: 1678 closed ports
PORT   STATE    SERVICE
22/tcp filtered ssh
80/tcp open     http
MAC Address: 00:0C:29:81:CD:A6 (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 2.967 seconds
Port 22 is reported as filtered while port 80 is still open, exactly as expected. Now look at the iptables rules on the .41 machine:
[root@aslibra fail2ban]# iptables -nL
Chain INPUT (policy ACCEPT)
target       prot opt source       destination
fail2ban-SSH tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:22

Chain FORWARD (policy ACCEPT)
target       prot opt source       destination

Chain OUTPUT (policy ACCEPT)
target       prot opt source       destination

Chain fail2ban-SSH (1 references)
target       prot opt source       destination
DROP         all  --  192.168.1.45 0.0.0.0/0
RETURN       all  --  0.0.0.0/0    0.0.0.0/0
So the .45 address is now banned: a DROP rule for it was inserted in front of the RETURN in fail2ban-SSH, and it will be removed again when the bantime runs out.
The jails are configured in /etc/fail2ban/jail.conf; for example, the FTP jail can be enabled there so that FTP authentication failures are checked the same way. Whatever jail you enable, make sure its logpath points at the file the service actually writes to (sshd logs to /var/log/secure on CentOS), otherwise fail2ban sees no failures and bans nothing.
Note: restarting the iptables service (service iptables restart) flushes the rules, including the fail2ban-SSH chain and every ban in it, and fail2ban does not notice. Restart fail2ban afterwards (service fail2ban restart) so it recreates its chain; until then its bans have nothing to insert into and silently fail.
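To catch exactly that situation, here is an added Python check, not from this post and not part of fail2ban, that parses the text output of iptables -nL and reports whether the fail2ban-SSH chain still exists, whether INPUT still diverts port 22 into it, and which addresses are currently dropped. The first two sample listings are constructed from the outputs shown above; the third is an assumed listing after `service iptables restart` on a host with no saved rules in /etc/sysconfig/iptables. On the real host you would pipe `iptables -nL` into the script.

```python
import re
import sys

# Constructed listings (not copied verbatim from any system): the first two follow
# the outputs shown in this post before and after the ban; the third is what an
# ACCEPT-policy firewall with no saved rules looks like after `service iptables
# restart`, an assumed state, not one shown in the post.
BEFORE_BAN = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
"""
AFTER_BAN = BEFORE_BAN.replace(
    "RETURN all", "DROP all -- 192.168.1.45 0.0.0.0/0\nRETURN all")
AFTER_IPTABLES_RESTART = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
"""

# "Chain INPUT (policy ACCEPT)" for built-in chains, "Chain X (N references)" for user chains.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")


def parse_iptables(text):
    """Parse `iptables -nL` output into {chain: {"policy": ..., "rules": [...]}}.
    Built-in chains carry a policy, user chains (like fail2ban-SSH) carry None."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group(2), "rules": []}
            chains[m.group(1)] = current
            continue
        if current is None or line.startswith("target "):
            continue  # column header row
        fields = line.split(None, 5)  # target prot opt source destination [match options]
        if len(fields) < 5:
            continue
        current["rules"].append({
            "target": fields[0], "prot": fields[1], "source": fields[3],
            "destination": fields[4], "extra": fields[5] if len(fields) > 5 else "",
        })
    return chains


def jail_status(text, name="SSH", port=22):
    """Report the state of one jail's chain as seen in an `iptables -nL` listing."""
    chains = parse_iptables(text)
    chain = f"fail2ban-{name}"
    hooked = any(
        r["target"] == chain and r["prot"] == "tcp" and f"dpt:{port}" in r["extra"].split()
        for r in chains.get("INPUT", {"rules": []})["rules"]
    )
    rules = chains.get(chain, {"rules": []})["rules"]
    return {
        "chain_present": chain in chains,
        "hooked_in_input": hooked,
        "banned": [r["source"] for r in rules if r["target"] == "DROP"],
        "returns_last": bool(rules) and rules[-1]["target"] == "RETURN",
    }


def is_healthy(status):
    """True when bans issued by fail2ban would actually take effect."""
    return status["chain_present"] and status["hooked_in_input"] and status["returns_last"]


if __name__ == "__main__":
    # Usage on the host: iptables -nL | python check_jail.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else AFTER_BAN
    status = jail_status(text)
    print(status)
    if not is_healthy(status):
        print("fail2ban-SSH chain missing or unhooked: run `service fail2ban restart`")
```

Running it from cron after any firewall change gives an early warning that the jail is toothless; the "returns_last" check matters because a chain whose final rule is not RETURN would either drop all SSH traffic or be ignored, depending on what replaced it.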
Original content; if you repost it, please credit: 阿权的书房